runtime: refactor hypervisor devices cgroup creation

Separatly added hypervisor devices to cgroup to omit not relevant warnings and fail if none of them are available. Fixes #6656 Signed-off-by: Balint Tobik <btobik@redhat.com>
2025-08-27 20:18:57 +00:00 · 2025-04-08 14:20:49 +02:00 · 2025-04-08 14:20:49 +02:00 · a4d3f813c2
commit a4d3f813c2
parent f04bb3f34c
1 changed files with 30 additions and 6 deletions
--- a/src/runtime/pkg/resourcecontrol/cgroups.go
+++ b/src/runtime/pkg/resourcecontrol/cgroups.go
@ -8,6 +8,7 @@
 package resourcecontrol
 import (
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@ -50,7 +51,7 @@ type LinuxCgroup struct {
 	sync.Mutex
 }
-func sandboxDevices() []specs.LinuxDeviceCgroup {
+func sandboxDevices() ([]specs.LinuxDeviceCgroup, error) {
 	devices := []specs.LinuxDeviceCgroup{}
 	defaultDevices := []string{
@ -68,14 +69,33 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
 	// In order to run Virtual Machines and create virtqueues, hypervisors
 	// need access to certain character devices in the host, like kvm and vhost-net.
 	hypervisorDevices := []string{
-		"/dev/kvm",         // To run virtual machines with KVM
+		"/dev/kvm",  // To run virtual machines with KVM
-		"/dev/mshv",        // To run virtual machines with Hyper-V
+		"/dev/mshv", // To run virtual machines with Hyper-V
 	}
 	virtualDevices := []string{
 		"/dev/vhost-net",   // To create virtqueues
 		"/dev/vfio/vfio",   // To access VFIO devices
 		"/dev/vhost-vsock", // To interact with vsock if
 	}
-	defaultDevices = append(defaultDevices, hypervisorDevices...)
+	hypervisorDeviceAdded := false
 	for _, hypervisor := range hypervisorDevices {
 		hypervisorDevice, err := DeviceToLinuxDevice(hypervisor)
 		if err != nil {
 			if !os.IsNotExist(err) {
 				controllerLogger.WithField("source", "cgroups").Warnf("Failed to add %s to the devices cgroup: %v", hypervisor, err)
 			}
 			continue
 		}
 		devices = append(devices, hypervisorDevice)
 		hypervisorDeviceAdded = true
 		controllerLogger.WithField("source", "cgroups").Infof("Adding %s to the devices cgroup", hypervisor)
 		break
 	}
 	if !hypervisorDeviceAdded {
 		return []specs.LinuxDeviceCgroup{}, errors.New("Could not add any hypervisor device to devices cgroup")
 	}
 	defaultDevices = append(defaultDevices, virtualDevices...)
 	for _, device := range defaultDevices {
 		ldevice, err := DeviceToLinuxDevice(device)
@ -128,7 +148,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup {
 	devices = append(devices, wildcardDevices...)
-	return devices
+	return devices, nil
 }
 func NewResourceController(path string, resources *specs.LinuxResources) (ResourceController, error) {
@ -168,7 +188,11 @@ func NewResourceController(path string, resources *specs.LinuxResources) (Resour
 func NewSandboxResourceController(path string, resources *specs.LinuxResources, sandboxCgroupOnly bool) (ResourceController, error) {
 	sandboxResources := *resources
-	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices()...)
+	sandboxDevices, err := sandboxDevices()
 	if err != nil {
 		return nil, err
 	}
 	sandboxResources.Devices = append(sandboxResources.Devices, sandboxDevices...)
 	// Currently we know to handle systemd cgroup path only when it's the only cgroup (no overhead group), hence,
 	// if sandboxCgroupOnly is not true we treat it as cgroupfs path as it used to be, although it may be incorrect.